ASA 5540 Not Authenticating

wdhowellsr
Level 1

Our ASA 5540 has just started to deny all inbound connections for VPN with the following messages:

106023 Deny udp src dmz:...

713048 Error processing payload:

713048 Sending IKE Delete No Reason Prvd

713902 Removing peer from peer tabl fld

713903 Error. Unable to Remove Peer

Upon connection regardless of user when username and password are entered the fields immediately clear and no login occurs.


12 Replies

Ivan Martinon
Level 7

Can you post here the next debugs "debug crypto isakmp 50"? To check whether authentication is the issue, you can go ahead and issue a test command on the asa for your authentication "test aaa authentication " type in the username and password and see if it fails or passes.

Will do. Just a side point is that the ASA time was actually two hours off of the accurate time. It was reset to the current time but authentication still did not work. I'm getting the debugs now and will post them.

Actually the good news is that we can access the asa directly but apparently the connection between the asa and the active directory server is not working. When we tested authentication it says the server is unavailable.

OK, what is the authentication protocol in use? Can the ASA reach it via ping?

We can ping the AD server from ASA. The client is using UDP, the AD Group is using RADIUS but when authenticating from within asa authentication server is unavailable.

So the protocol that you are using to communicate the ASA to the AD is radius, assuming via AIS, what do you see on the Event Viewer of your server?

Sorry Typo, I meant IAS, do you see the authentication request on the server? run a debug radius all on the asa with the test, do you see any error there?

You're going to love this. First, I'm actually a contract programmer analyst developing a web reporting module for an insurance company. Second, the IT department is limited and they ask my help occasionally.

Now for the good part.

The problem first started happening on Saturday afternoon. Obviously something changed at that point.

wait for it..

..

..

..

The Manager of IT decided to set the IAS server to dynamic IP and use the static IP on another server.

That one's a keeper.

Go figure.... it usually ends on a human mistake :P

The pointy haired boss strikes again. GRR!

He changed the IAS server to a new static IP on a different subnet and updated DNS to point to the new IP.

Even when the ASA is configured to point to the IP of the IAS server it fails authentication even though it can be pinged.

I have a gut feeling that there is DNS corruption somewhere and that while the ASA can ping the server IP it fails on authentication due to incorrect name resolution.

My simple question is if there is a way to hardcode server name, ip and subnet mask in the ASA so that no matter what he screws up on the network as long as we keep the IAS and ASA configured properly it would work.

P.S.

This is why I got out of network engineering.

Just a heads up. If you mess around with the DNS and IP addresses too much, just remember to clear out your DNS cache and tables on your ASA.

Problem Solved,
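As an added example (not from anyone in this thread), here is an ASA configuration that pins the IAS RADIUS server by IP address, as asked about above, followed by the test and debug commands suggested earlier in the thread. The server group and tunnel-group names, the interface name, the 192.0.2.10 address and the shared secret are placeholders, and the DNS-cache commands at the end are assumed to be present on the ASA release in use.

```cisco
! Added example, not from the thread. Names, the interface, the address
! 192.0.2.10 and the shared secret are placeholders; use your own values.
!
! Define the RADIUS server group and pin the IAS server by IP address.
! The ASA sends requests to this host directly, so a later DNS change
! on the network does not redirect authentication traffic.
aaa-server IAS_RADIUS protocol radius
aaa-server IAS_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Tie the remote-access VPN tunnel group to that server group.
tunnel-group RA_VPN general-attributes
 authentication-server-group IAS_RADIUS
!
! Verify from the ASA itself, independent of any VPN client:
test aaa-server authentication IAS_RADIUS host 192.0.2.10 username jdoe password <password>
!
! If the test reports the server as unavailable, watch the RADIUS
! exchange (or its absence) while repeating the test, then turn it off:
debug radius all
undebug all
!
! Confirm the server status the ASA currently holds for the group:
show aaa-server IAS_RADIUS
!
! If the server was moved and the ASA still holds stale name resolution,
! inspect and clear its DNS host cache before retesting
! (assumed available on this release):
show dns-hosts
clear dns-hosts
```

If the request never appears in the IAS event log while the ASA debug shows it being sent, the packet is not reaching the new address (routing, interface choice, or a firewall between the ASA and the new subnet) rather than a credential problem.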

